On 02/18/2016 10:24 AM, Louis Munro wrote:
> This is what I have come up with for now:
>
> iptables -I INPUT -p tcp -m tcp --sport 53 -m length --length 1024:4096 -j DROP
> iptables -I INPUT -p udp -m udp --sport 53 -m length --length 1024:4096 -j DROP
>
> 4096 is really just some large number here.
> I could go higher if jumbo frames might be involved.

Generic Receive Offload (GRO) may be sufficient to get larger segments
even without JumboFrames. If you want duct-tape added to the belt and
suspenders, you might consider taking it out to 65535 - I'm pretty sure
that nothing will "GRO" beyond that size.

> Of course, this is a band-aid solution.
> There is no substitute for updating glibc in the end.

Indeed.

> But I digress, this is getting off track and is not really relevant to
> this list.

Perhaps, but it does go to how long one might be expected to carry along
bandaids/kludges in the likes of dnsmasq.

rick jones